Secret tech lets governments collect masses of data from your apps
Secret tech lets governments collect masses of data from your apps
Law enforcement agencies can access vast troves of data from devices and from popular apps with the push of a button using cloud extraction technology.
KEY POINTS
Cloud extraction is on the rise and allows law enforcement agencies to take huge amounts of your data from the cloud.
If law enforcement seize a device or take it from a victim of crime, they can extract tokens or passwords from the device, which lets them get access to data, including from device back-ups such as iCloud and from apps such as Uber, Instagram, Slack, Gmail, Alexa and WhatsApp.
Despite huge amounts of data being stored in the cloud, a YouGov poll revealed that in the UK 45.6% of people have not thought about where data created by apps on their phone is stored and 44.3% of people do not know or think that apps on their phone use cloud storage.
Emotion and facial recognition can be applied to extracted data, for example across photos.
Cloud extraction software enables ‘continual tracking’ so law enforcement can secretly monitor you, even if they give you your phone back.
Privacy International is concerned companies aren’t doing enough to protect their customers’ data, and have demanded that they take steps to do so.
A large number of apps on smart phones store data in the cloud. Law enforcement can access these vast troves of data from devices and from popular apps with the push of a button using cloud extraction technology.
Mobile phones remain the most frequently used and most important digital source for law enforcement investigations. Yet it is not just what is physically stored on the phone that law enforcement are after, but what can be accessed from it, primarily data stored in the Cloud.
Cellebrite, a prominent vendor of surveillance technology used to extract data from mobile phones, notes in its Annual Trend Survey that in approximately half of all investigations, cloud data ‘appears’ and that ‘[t]ypically, this data involves social media or application data that does not reside on the physical device.’
Cloud storage, data which is stored on third-party servers and typically used by device and application manufacturers to back up data, is increasingly used for social media, internet-connected devices and apps. This opens the door to a huge amount of personal information. Extraction companies claim they can obtain data from the most popular cloud services including WhatsApp, iCloud, Google, Facebook, Twitter and even the users actual voice from Amazon Alexa.
Even if you use end to end encrypted messaging, if you back up your WhatsApp messages to the Cloud, they are accessible to law enforcement if they use extraction technology.
Despite the huge amounts of data stored in the cloud, there is limited public understanding. Privacy International commissioned a poll from YouGov, which found that in the UK of those polled:
* 45.6% of people have not thought about where data created by apps on their phone is stored.
* 44.3% of people do not know or think that apps on their phone use cloud stoage.
* 47% of people when asked whether they understood what the term ‘cloud computing’ means responded ‘not well’.
Once law enforcement have a users’ credentials, not only can they obtain their data, they can easily and secretly track a user’s online behaviour such as their posts, likes, events and connections using their cloud-based accounts, even after they have returned the phone. They could even impersonate the individual.
As a result, Privacy International is demanding that 17 tech companies specifically targeted by extraction surveillance companies to outline their position.
Camilla Graham Wood, solicitor at Privacy International states:
“We are only just starting to gain a modicum of transparency around law enforcement use of mobile phone extraction, yet there are new concerning technologies on the horizon such as cloud extraction, about which very little is known.
Cloud extraction technologies give law enforement the ability to access eye-watering amounts of highly sensitive personal data, not only about individuals, but also their friends, colleagues and acquaintances. Concerningly, such technology also allows authorities to deploy facial recognition tech across people’s media as well as the ability to conduct continual monitoring of an individual’s social media without them ever knowing.
Much of this data is uploaded to the cloud, often without our knowledge, by the big tech companies. This risks making our personal data more vulnerable, not more secure. There is an urgent need for the companies who we entrust with our data to ensure they protect it from the tech which can be operated by unskilled operatives at the push of a button.
It is a matter of urgency that law enforcement act with a greater degree of transparency in relation to the new forms of surveillance they are using, and that laws which are designed to protect against abuses are updated.”
Notes to Readers
Privacy International have conducted detailed research into cloud analytics including the companies selling this technology, the types of apps and data that can be extracted and that companies offer facial and emotional recognition tools to analyse extracted data